TCP, SSL, Enable Host Verification by default

Make key/trust store types configurable; add a test with host violation.

* Fix some typos and code style in the related classed and docs
* Add asserts for the store type properties

Author: garyrussell

spring-integration-ip/src/main/java/org/springframework/integration/ip/tcp/connection/DefaultTcpNioSSLConnectionSupport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -24,22 +24,41 @@
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLParameters;
 
 import org.springframework.context.ApplicationEventPublisher;
 import org.springframework.util.Assert;
 
 /**
  * Implementation of {@link TcpNioConnectionSupport} for SSL
  * NIO connections.
+ *
  * @author Gary Russell
+ *
  * @since 2.2
  *
  */
 public class DefaultTcpNioSSLConnectionSupport extends AbstractTcpConnectionSupport implements TcpNioConnectionSupport {
 
-	private volatile SSLContext sslContext;
+	private final SSLContext sslContext;
+
+	private final boolean sslVerifyHost;
 
+	/**
+	 * Create an instance with host verification enabled.
+	 * @param sslContextSupport the ssl context support.
+	 */
 	public DefaultTcpNioSSLConnectionSupport(TcpSSLContextSupport sslContextSupport) {
+		this(sslContextSupport, true);
+	}
+
+	/**
+	 * Create an instance.
+	 * @param sslContextSupport the ssl context support.
+	 * @param sslVerifyHost true to verify the host during handshake.
+	 * @since 5.0.8
+	 */
+	public DefaultTcpNioSSLConnectionSupport(TcpSSLContextSupport sslContextSupport, boolean sslVerifyHost) {
 		Assert.notNull(sslContextSupport, "TcpSSLContextSupport must not be null");
 		try {
 			this.sslContext = sslContextSupport.getSSLContext();
@@ -48,6 +67,7 @@ public DefaultTcpNioSSLConnectionSupport(TcpSSLContextSupport sslContextSupport)
 			throw new IllegalArgumentException("Invalid TcpSSLContextSupport - it failed to provide an SSLContext", e);
 		}
 		Assert.notNull(this.sslContext, "SSLContext retrieved from context support must not be null");
+		this.sslVerifyHost = sslVerifyHost;
 	}
 
 	/**
@@ -56,8 +76,19 @@ public DefaultTcpNioSSLConnectionSupport(TcpSSLContextSupport sslContextSupport)
 	@Override
 	public TcpNioConnection createNewConnection(SocketChannel socketChannel, boolean server, boolean lookupHost,
 			ApplicationEventPublisher applicationEventPublisher, String connectionFactoryName) throws Exception {
+
 		SSLEngine sslEngine = this.sslContext.createSSLEngine();
 		postProcessSSLEngine(sslEngine);
+		if (this.sslVerifyHost) {
+			SSLParameters sslParameters = sslEngine.getSSLParameters();
+			if (sslParameters == null) {
+				sslParameters = new SSLParameters();
+			}
+			// HTTPS works for any TCP connection.
+			// It checks SAN (Subject Alternative Name) as well as CN.
+			sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+			sslEngine.setSSLParameters(sslParameters);
+		}
 		TcpNioSSLConnection tcpNioSSLConnection;
 		if (isPushbackCapable()) {
 			tcpNioSSLConnection = new PushBackTcpNioSSLConnection(socketChannel, server, lookupHost,

spring-integration-ip/src/main/java/org/springframework/integration/ip/tcp/connection/DefaultTcpSSLContextSupport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -32,12 +32,18 @@
  * Default implementation of {@link TcpSSLContextSupport}; uses a
  * 'TLS' (by default) {@link SSLContext}, initialized with 'JKS'
  * keystores, managed by 'SunX509' Key and Trust managers.
+ *
  * @author Gary Russell
+ *
  * @since 2.1
  *
  */
 public class DefaultTcpSSLContextSupport implements TcpSSLContextSupport {
 
+	private static final String DEFAULT_KEY_STORE_TYPE = "JKS";
+
+	private static final String DEFAULT_TRUST_STORE_TYPE = "JKS";
+
 	private final Resource keyStore;
 
 	private final Resource trustStore;
@@ -46,7 +52,11 @@ public class DefaultTcpSSLContextSupport implements TcpSSLContextSupport {
 
 	private final char[] trustStorePassword;
 
-	private volatile String protocol = "TLS";
+	private String protocol = "TLS";
+
+	private String keyStoreType = DEFAULT_KEY_STORE_TYPE;
+
+	private String trustStoreType = DEFAULT_TRUST_STORE_TYPE;
 
 	/**
 	 * Prepares for the creation of an SSLContext using the supplied
@@ -69,9 +79,30 @@ public DefaultTcpSSLContextSupport(String keyStore, String trustStore,
 		this.trustStorePassword = trustStorePassword.toCharArray();
 	}
 
-	public SSLContext getSSLContext() throws GeneralSecurityException, IOException  {
-		KeyStore ks = KeyStore.getInstance("JKS");
-		KeyStore ts = KeyStore.getInstance("JKS");
+	/**
+	 * Set the key store type. Default JKS.
+	 * @param keyStoreType the type.
+	 * @since 5.0.8
+	 */
+	public void setKeyStoreType(String keyStoreType) {
+		Assert.hasText(keyStoreType, "'keyStoreType' cannot be empty");
+		this.keyStoreType = keyStoreType;
+	}
+
+	/**
+	 * Set the trust store type. Default JKS.
+	 * @param trustStoreType the type.
+	 * @since 5.0.8
+	 */
+	public void setTrustStoreType(String trustStoreType) {
+		Assert.hasText(trustStoreType, "'trustStoreType' cannot be empty");
+		this.trustStoreType = trustStoreType;
+	}
+
+	@Override
+	public SSLContext getSSLContext() throws GeneralSecurityException, IOException {
+		KeyStore ks = KeyStore.getInstance(this.keyStoreType);
+		KeyStore ts = KeyStore.getInstance(this.trustStoreType);
 
 		ks.load(this.keyStore.getInputStream(), this.keyStorePassword);
 		ts.load(this.trustStore.getInputStream(), this.trustStorePassword);

spring-integration-ip/src/main/java/org/springframework/integration/ip/tcp/connection/DefaultTcpSocketSupport.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2016 the original author or authors.
+ * Copyright 2002-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -19,25 +19,61 @@
 import java.net.ServerSocket;
 import java.net.Socket;
 
+import javax.net.ssl.SSLParameters;
+import javax.net.ssl.SSLSocket;
+
 /**
  * Default implementation of {@link TcpSocketSupport}; makes no
  * changes to sockets.
+ *
  * @author Gary Russell
+ *
  * @since 2.2
  *
  */
 public class DefaultTcpSocketSupport implements TcpSocketSupport {
 
+	private final boolean sslVerifyHost;
+
+	/**
+	 * Construct an instance with host verification enabled.
+	 */
+	public DefaultTcpSocketSupport() {
+		this(true);
+	}
+
+	/**
+	 * Construct an instance with the provided sslVerifyHost.
+	 * @param sslVerifyHost true to verify host during SSL handshake.
+	 * @since 5.0.8.
+	 */
+	public DefaultTcpSocketSupport(boolean sslVerifyHost) {
+		this.sslVerifyHost = sslVerifyHost;
+	}
+
 	/**
 	 * No-Op.
 	 */
+	@Override
 	public void postProcessServerSocket(ServerSocket serverSocket) {
 	}
 
 	/**
-	 * No-Op.
+	 * Enables host verification for SSL, if so configured.
 	 */
+	@Override
 	public void postProcessSocket(Socket socket) {
+		if (this.sslVerifyHost && socket instanceof SSLSocket) {
+			SSLSocket sslSocket = (SSLSocket) socket;
+			SSLParameters sslParameters = sslSocket.getSSLParameters();
+			if (sslParameters == null) {
+				sslParameters = new SSLParameters();
+			}
+			// HTTPS works for any TCP connection.
+			// It checks SAN (Subject Alternative Name) as well as CN.
+			sslParameters.setEndpointIdentificationAlgorithm("HTTPS");
+			sslSocket.setSSLParameters(sslParameters);
+		}
 	}
 
 }

spring-integration-ip/src/test/java/org/springframework/integration/ip/config/ParserUnitTests-context.xml

@@ -81,7 +81,9 @@
 	</bean>
 
 	<bean id="nioConnectionSupport"
-		class="org.springframework.integration.ip.tcp.connection.DefaultTcpNioSSLConnectionSupport" />
+		class="org.springframework.integration.ip.tcp.connection.DefaultTcpNioSSLConnectionSupport">
+		<constructor-arg ref="sslContextSupport" />
+	</bean>
 
 	<ip:tcp-connection-factory id="secureServer"
 		type="server"

spring-integration-ip/src/test/java/org/springframework/integration/ip/tcp/connection/PushbackTcpTests.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 the original author or authors.
+ * Copyright 2017-2018 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -401,7 +401,7 @@ public DefaultTcpNioSSLConnectionSupport connectionSupport() {
 					"test.truststore.ks", "secret", "secret");
 			sslContextSupport.setProtocol("SSL");
 			DefaultTcpNioSSLConnectionSupport tcpNioConnectionSupport =
-					new DefaultTcpNioSSLConnectionSupport(sslContextSupport);
+					new DefaultTcpNioSSLConnectionSupport(sslContextSupport, false);
 			tcpNioConnectionSupport.setPushbackCapable(true);
 			return tcpNioConnectionSupport;
 		}